Skip to content

psg2/env-sync

BranchesTags

Repository files navigation

@psg2/env-sync

Declarative env var management — one YAML config, multiple targets.

Define your env vars and secrets in env-sync.yaml, then sync them to local .env files, Vercel environments, or GitHub secrets in one command. Secrets are resolved from 1Password at sync time.

Install

bun add -g @psg2/env-sync

Quick Start

Create env-sync.yaml in your project root:

groups:
  local:
    PORT: "3000"
    DB_URL: postgres://localhost/myapp
    AUTH_SECRET: op://Development/myapp/AUTH_SECRET
    API_KEY: op://Development/myapp/API_KEY

  prod:
    AUTH_SECRET: op://Production/myapp/AUTH_SECRET
    API_KEY: op://Production/myapp/API_KEY

targets:
  local:
    type: file
    path: .env.local
    groups: [local]

  vercel-prod:
    type: vercel
    environments: [production]
    groups: [prod]
env-sync              # Sync all targets
env-sync local        # Just local .env.local
env-sync vercel-prod  # Just push to Vercel production
env-sync --dry-run    # Preview without changes
env-sync --list       # Show configured groups & targets

Config Reference

Groups

A group is a flat map of env vars. Each value is either a plain string or an op:// 1Password reference.

groups:
  my-group:
    PLAIN_VAR: some-value                 # Used as-is
    SECRET: op://Vault/Item/Field         # Resolved via 1Password CLI

When a target references multiple groups, vars are collected in order — first group wins on key conflicts.

Targets

File

Writes a .env-style file. Backs up existing file before overwriting.

targets:
  local:
    type: file
    path: .env.local          # Relative to env-sync.yaml
    groups: [infra, secrets]
    backup: true              # Default: true

Vercel

Pushes vars to Vercel environment(s) via the Vercel CLI. Backs up current env vars before overwriting.

targets:
  vercel-prod:
    type: vercel
    environments: [production]          # preview, production, development
    groups: [prod-secrets]
    project: my-app                     # Optional (uses linked project)
    redeploy: true                      # Optional (default: false)

GitHub

Pushes vars as GitHub repository secrets via the GitHub CLI.

targets:
  github:
    type: github
    secretType: actions                 # actions (default) or dependabot
    groups: [ci-secrets]
    repo: org/repo                      # Optional (uses current repo)
    environment: staging                # Optional (repo-level if omitted)

CLI

env-sync                       Sync all targets
env-sync <target> [target...]  Sync specific targets

Options:
  -c, --config <path>  Config file path (default: search upward)
  -n, --dry-run        Preview without making changes
  -l, --list           List configured targets and groups
  -h, --help           Show help
  -v, --version        Show version

Prerequisites

Feature Requires
1Password secrets op CLI + op signin
Vercel targets vercel CLI
GitHub targets gh CLI

The CLI checks for required tools before syncing and gives clear error messages.

Examples

See examples/ for complete configs — simple.yaml and full.yaml.

License

MIT

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 1

v1.0.0 Latest
Mar 16, 2026

Packages

 
 
 

Contributors

Languages